[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: risks of MACs associated with packets




I think, as I believe Phil Karn does, that you want authentication
to be outside of your encyrption so that it is less work to throw
away bogus packets and so that intermediate points can, if properly
configured, authenticate the message without reading it.

Donald

From:  perry@imsi.com (Perry E. Metzger)
To:  ipsec@ans.net
Cc:  perry@imsi.com
Reply-To:  perry@imsi.com
X-Reposting-Policy:  redistribute only with permission
>A small serious question about message authenticators in the ESP (not
>the AH!) environment.
>
>Now, we all seem to be pretty happy with keyed hashes as
>authenticators -- but we are using no initialization vectors on these
>things. That means that the odds of two identical payload messages
>having identical authenticators is very high (especially since the
>only part of the packets likely to vary is the Ident field in the IPv4
>packet, which is very short -- in an IPv6 packet no portion would vary
>at all!)
>
>This makes for the following question: should we be 
>
>1) adding initialization vectors to our authenticators? (I vote no).
>2) placing our authenticators in the ESP under protection of the
>   crypto algorithm? (Might make for extra crypto work.)
>3) Authenticating the cyphertext instead of the cleartext?
>4) something else?
>
>I vote for 2 or 3, with my current leaning to 3 since its somewhat
>ligher weight. Of course, 2 has the nice property that before they can
>even start to attack your authenticator they have to break your
>cipher, but of course in 3 it might be hard for them to fake you out
>for long even if they do manage to fake authenticators on you. The
>issues merit discussion.
>
>In either case, we have to use different keys for our keyed hashes
>from the ones our ciphers are using or we make cryptanalysis just a
>bit too easy for my tastes (any comments on that?)...
>
>Perry


References: